CVE-2025-2389
Published: 17 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2389 is a critical SQL injection vulnerability (CWE-74, CWE-89) in code-projects Blood Bank Management System 1.0, published on 2025-03-17. The issue affects some unknown functionality in the file /admin/add_city.php, where manipulation leads to SQL injection that can be launched remotely.
Attackers with high privileges can exploit this vulnerability over the network with low attack complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L). Successful exploitation enables limited impacts on confidentiality, integrity, and availability.
Advisories from VulDB (ctiid.299888, id.299888, submit.516906) and the project site at code-projects.org provide further details, along with a GitHub repository at intercpt/XSS1/blob/main/SQL7.md disclosing the exploit publicly for potential use. No specific patches or mitigations are detailed in the initial disclosure.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in /admin/add_city.php enables exploitation of a public-facing web application (T1190), abuse of server software components such as the backend database (T1505), and collection of data from databases (T1213.006) via unauthorized queries.